HTTPS-Only Mode Introduced by Firefox

For those who don’t know, the webpage you’re reading this article on uses the ‘HTTPS’ security protocol (for example, https://cyberhoot.com/), meaning all data traveling between this webpage and your web browser is encrypted. In other words, your data is secure from prying eyes between CyberHoot’s web server and your browser. The website itself can still be malicious in nature, and someone could be shoulder surfing you at work. Risks remain.

However, HTTPS-enabled websites are crucial when entering passwords, credit card numbers, or other sensitive information. When accessing unencrypted HTTP-enabled sites, users can fall victim to eavesdropping due to data leakage. In 2020, multiple vendors began warning and protecting users who might not know that HTTP is unencrypted and unsafe to use. In July of 2020, Google began flagging all HTTP websites as insecure. In late 2020, Firefox, the 3rd most commonly used browser online today, introduced a brand new security feature called ‘HTTPS-Only Mode’.

Firefox 83 Summary

Mozilla introduced this security feature in their Nov. 2020 release of Firefox – version 83. When you enable HTTPS-Only Mode these things happen:

  • Firefox attempts to establish fully secure connections to every website, and
  • Firefox asks for your permission before connecting to a website that doesn’t support secure connections.

How HTTPS-Only Works

As we now know, data sent over the conventional HTTP protocol is unprotected and travels in cleartext, allowing hackers to view, steal, or even tamper with your data. You know a website is using HTTPS when you see the lock icon in the address bar.


The majority of websites support HTTPS, and those that don’t should be viewed with suspicion. Regrettably, some otherwise secure HTTPS websites support and serve content using the insecure and outdated HTTP protocol instead of redirecting you to HTTPS. This could be accidental, a misconfiguration, or malicious in nature. Regardless of why, these sites put you and your data at risk and should be avoided.

Mozilla now protects users by always forcing the use of secure HTTPS. When enabled, HTTPS-Only Mode attempts a fully secured HTTPS connection to your target website regardless of whether you click on an HTTP link or not. HTTPS-Only Mode ensures Firefox doesn’t make any insecure connections without your permission (you can bypass the warning and still visit HTTP sites). In HTTPS-Only Mode, Firefox automatically replaces HTTP with HTTPS when you type a URL manually.

How to turn on HTTPS-Only Mode

Turning on this HTTPS-Only Mode is simple:

  1. Click on Firefox’s menu button and choose “Preferences”.
  2. Select “Privacy & Security” and scroll down to the section “HTTPS-Only Mode”.
  3. Choose “Enable HTTPS-Only Mode in all windows”.

Once HTTPS-Only Mode is enabled, you can perform all standard tasks with confidence knowing that Firefox will upgrade connections by default to be secure whenever possible. For the minuscule number of websites that don’t yet support HTTPS, Firefox will display an error message that explains the security risk and asks you whether or not you want to connect to the website using HTTP. Here’s what the error message looks like:

Other Risks

Some websites use HTTPS in most cases but, for performance reasons, may serve resources such as images, videos, or large data sets only over HTTP. Consequently, the web page looks secure, with a lock symbol, but behaves insecurely. In these cases, HTTPS-Only Mode may not function correctly and you may need to disable it temporarily (but do this cautiously; only if the data you’re seeking is not risky to transfer unencrypted). Here’s how:

Websites Today and in the Future Are HTTPS-Only

2020 was the year all websites transitioned to HTTPS-only mode. If your website is not HTTPS-only in everything it does, you will be flagged by Google and Firefox (70% of all Internet browsers as of Nov. 2020). Upgrade your website today to only use HTTPS.
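Site owners can check their own pages for the HTTP-only images, videos, and scripts described under Other Risks. The following is an added example, not part of the original article: the names `MixedContentFinder` and `find_insecure_subresources` and the sample page are hypothetical and constructed for illustration. It inspects static HTML attributes only, so resources requested by scripts or CSS at run time are not covered.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource. <a href> is a
# navigation, not a subresource, so it is deliberately not listed.
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "source": ("src",),
    "link": ("href",),  # stylesheets, icons; may also match rel=canonical
}

class MixedContentFinder(HTMLParser):
    """Collects subresources that a page would load over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line number, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCH_ATTRS.get(tag, ()):
            value = (attrs.get(name) or "").strip()
            # Resolve relative and protocol-relative URLs against the page.
            absolute = urljoin(self.page_url, value)
            if value and urlsplit(absolute).scheme == "http":
                self.findings.append((self.getpos()[0], tag, absolute))

def find_insecure_subresources(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from any real site).
SAMPLE_URL = "https://shop.example/cart"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example/lib.js"></script>
</head><body>
<img src="//img.example/logo.png">
<video src="http://media.example/demo.mp4" poster="https://media.example/p.jpg"></video>
<a href="http://old.example/">old site</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_insecure_subresources(SAMPLE_URL, SAMPLE_HTML):
        print(f"line {line}: <{tag}> loads {url}")
```

On the sample page only the script and the video source are reported; the protocol-relative image inherits HTTPS from the page, and the plain link to an HTTP site is a navigation rather than a subresource.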

A video explanation of HTTPS-ONLY Mode (as well as HSTS protocol):